Wednesday, May 18, 12:00 PM
The ACC, Mid-America Chapter
Mutual of Omaha Insurance Co., Omaha, NE
Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM
Fey LLC, Leawood, KS

Agenda
- BYOD Stats
- Legal Risks Associated with BYOD
- Recommendations to Address Legal Risks
BYOD Adoption (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Availability by Sector (chart)
Source: How Forward-Looking Industries Secure BYOD, 2016 (Bitglass)

Supported Users (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Drivers and Benefits (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Barriers (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

BYOD Security Concerns (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Why Mobile Devices Pose a Risk in the Workplace (chart)
Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Company-Related Data Employees Access through Mobile Devices Versus What Information Security Thinks They Can Access (chart)
Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Mobile Data Breaches (chart)
Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Risk Control Measures (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Risk Control Measures (chart)
Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)

Risk Control Measures (chart, continued)
Source: The Economic Risk of Confidential Data on Mobile Devices in the Workplace, 2016 (Ponemon)
Special Challenges for Protecting PII and Other Confidential Information on Personal Devices
- Personal devices are commonly lost or stolen
- Hard to enforce security requirements on personal devices
- Employees selling or trading in devices may fail to completely and securely delete sensitive information

Wiping Data from Devices Upon Employee Departure (chart)
Source: BYOD and Mobile Security Report, 2016 (Crowd Research Partners)

Failure to Comply with Privacy Obligations to Consumers
- HIPAA
- Gramm-Leach-Bliley
- FINRA
- PCI DSS
- EU General Data Protection Regulation (May 25, 2018)

Failure to Comply with Privacy Obligations to Employees
- Some jurisdictions require notice prior to any employee monitoring
- Intrusion on employee privacy may result in litigation
- Loss of employee-owned data on a personal device also may result in litigation

Failure to Comply with Privacy Obligations Can Result in Data Breaches
- Data breach notification obligations
- Regulatory or state attorney general investigations
- Civil lawsuits

Failure to Comply with Legal Hold Obligations
- Legal hold obligations extend to personal devices when used for business purposes
- General Rule: Unique legal hold-related information on personal devices must be preserved
- Failure to preserve can result in significant sanctions

Other Legal Risks
- Loss of necessary access to information by others with business needs
- Failure to compensate for overtime work performed remotely
- Liability from texting-while-driving accidents
- Breach of confidential entity data
- Payment disputes with employees
Risk Plan

Ten Recommendations to Protect Data (Including PII) on Personal Devices
- Ensure risk assessments address personal devices
- Implement appropriate technology solutions
- Enforce prohibition on usage of banned apps
- Enforce screen locks, encryption, strong passwords, and anti-malware protection
- Require employees to keep personal devices up-to-date

Ten Recommendations to Protect Data (Including PII) on Personal Devices (continued)
- Prohibit jailbreaking and rooting
- Secure your network against rogue devices
- Ensure ability to wipe company data from device
- Implement and train on procedures for selling, replacing, or discarding personal devices
- Define security incident procedures for personal devices
Bonus Recommendation: Implement and Train on Strong BYOD Policy
- Consider all perspectives
- Develop comprehensive BYOD Policy clearly setting forth both entity's and employees' rights
- Implement BYOD Policy through training, FAQs, and other educational resources
- Monitor compliance, and periodically review and update BYOD Policy
- Review and update related policies and procedures touching on BYOD

Five Recommendations to Address Employee Privacy Risks
- Require employees to segregate personal data
- Retain record of unambiguous, written employee consent to BYOD Policy
- Ensure BYOD Policy clearly sets out rights to monitor, access, review, and disclose company or other data on personal devices, as well as employees' obligations
- Address privacy concerns while planning for preservation of information on personal devices
- If possible, provide notice and obtain consent before wiping or destroying data on personal devices
Five Recommendations to Address Legal Hold Risks
- Ensure policy language addressing legal hold compliance is broad enough to cover legal hold-related information on mobile devices
- Update legal hold procedures to cover preservation of information on personal devices
- Promptly identify and preserve legal hold-related information on personal devices
- Provide clear instructions to employees to suspend auto-deletion and take other steps to guard against changing or deleting data
- Update offboarding processes to address preservation of legal hold-related information

Five Recommendations to Address Other Legal Risks
- Access to Information: Prohibit storage of unique customer/client information on personal devices
- Overtime Disputes: Where appropriate, prohibit non-exempt employees from working after hours; if not prohibited, require employees to account for time
- Texting/Driving Risks: Prohibit texting while driving by policy
- Breach of Confidential Entity Data: Implement DLP systems and offboarding processes
- Payment Disputes with Employees: Clearly address who pays for the device, as well as voice and data access

Any Questions?
For further information on developing a BYOD Policy; developing and implementing BYOD training; reviewing your organization's current processes for collecting unique information subject to legal hold from employees' personal devices; or other information governance topics, please contact me.
Laura Clark Fey, Esq., CIPP/US, CIPP/E, CIPM
Principal, Fey LLC
E-Mail: lfey@feyllc.com
Direct: 913.948.6301
Mobile: 816.518.6554
Website: www.feyllc.com